The pre-1.3* builds of RootkitRevealer were being circumvented by adding the RootkitRevealer executable (rootkitrevealer.exe) as a "root" process to the Hacker Defender config file. Since nothing is hidden from "root" processes, RootkitRevealer could not find the hidden components of the rootkit. With 1.30/1.31, RootkitRevealer creates and executes randomly named copies of itself in \system32.

In normal mode, PG blocks the first attempt to install a driver/service. After that, you have the option to allow driver/service install for that executable. Unfortunately, the next time you run RootkitRevealer, the name of the executable changes and the old executable is deleted.

At minimum, you have to disable driver/service protection (in PG's Main tab) in order to scan with RootkitRevealer.
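The conflict described above comes down to how the "allow" decision is keyed. A rule that remembers the executable by path cannot survive a scanner that runs as a fresh, randomly named copy each time, while a rule keyed on the file's content hash would recognise the copy. The following is an added illustration written for this page, not code from the posts above nor from RootkitRevealer or ProcessGuard; it assumes, as the post describes, that the per-executable allow rule is keyed on the file path, and it stands in a throwaway placeholder file for the real binary.

```python
import hashlib
import os
import secrets
import shutil
import tempfile


def sha256_file(path):
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_keyed_policy_allows(allowed_paths, path):
    """Allow rule keyed on the executable path (the behaviour the post describes; assumed)."""
    return os.path.normcase(os.path.abspath(path)) in allowed_paths


def hash_keyed_policy_allows(allowed_hashes, path):
    """Allow rule keyed on the executable's SHA-256, independent of its name."""
    return sha256_file(path) in allowed_hashes


def make_random_copy(src, dst_dir):
    """Mimic the 1.30/1.31 behaviour: a randomly named copy of the scanner is created each run."""
    name = secrets.token_hex(4) + ".exe"
    dst = os.path.join(dst_dir, name)
    shutil.copyfile(src, dst)
    return dst


def demo():
    """Return, for each policy, whether the *next* run is allowed after the user allowed the first copy."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for rootkitrevealer.exe; only the content matters here.
        original = os.path.join(d, "rootkitrevealer.exe")
        with open(original, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"stand-in for the scanner binary (constructed)")

        # First run: a random copy is executed and the user clicks "allow" for it.
        first_copy = make_random_copy(original, d)
        allowed_paths = {os.path.normcase(os.path.abspath(first_copy))}
        allowed_hashes = {sha256_file(first_copy)}

        # Between runs the old copy is deleted, as the post describes.
        os.remove(first_copy)

        # Second run: a new copy under a new random name, identical content.
        second_copy = make_random_copy(original, d)
        return {
            "name_rule_allows_next_run": name_keyed_policy_allows(allowed_paths, second_copy),
            "hash_rule_allows_next_run": hash_keyed_policy_allows(allowed_hashes, second_copy),
        }


if __name__ == "__main__":
    print(demo())
```

The path-keyed rule denies the second run (different name, original copy gone), which is exactly the symptom in the post; the hash-keyed rule still matches because the copy's content is unchanged. A hash-keyed rule is also what a rootkit such as Hacker Defender cannot defeat simply by renaming.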

You are right, Learning Mode does not work. However, I was able to install OK by disabling protection in ProcessGuard.

One other thing I don't understand; I run TDS as well as ProcessGuard. If both are active, it is ProcessGuard that stops the installation of RootkitRevealer, but if I try to run Steve Gibson's Leaktest it is TDS that stops the execution of that program, NOT ProcessGuard.